It's less TalkTalk, more StalkStalk: the UK's second largest ISP has quietly begun following its customers around the web and scanning what they look at for a new anti-malware system it is developing.
Without telling customers, the firm has switched on the compulsory first part of the system, which is harvesting lists of the …

COMMENTS


Actually...

Opal Telecom is what TalkTalk is known to BT Openreach as. Opal Telecom was bought by CPW in the early 2000's and then launched TalkTalk.

If you're on TalkTalk and do a speed test, your provider will show as Opal Telecom. It costs a small fortune to have the name changed from Opal Telecom to TalkTalk through Openreach, so they just left it.

Sooo

If you're a virus vendor you don't send malware to these easy to find IPs or, like some malware we've seen before, only punt to random users so there's a good chance the site will be missed or even flagged as clean (whitelisted).

Still, I suppose it scuppers some of the lower level crud.

Now if ISPs worked together on these lists that would be brilliant, but of course they won't as they're trying to push a USP.

I agree

There is simply no need for this invasion of privacy (and I am a TalkTalk customer). Had I known, I would have opted out as I do not require this level of nannying from my ISP. I want my ISP to be an efficient, yet dumb, data pipe. That is all.

And how do they determine what is a threat? Many "threats" only target some systems, so an attack on XP may not work on Win7 and almost certainly will not work against a real OS.

It also leads to end-user complacency. "I do not need any firewall or AV as my ISP protects me." Cue TalkTalk customers getting data-raped by a zero-day that basic measures could have prevented.

Up to now I have been happy with TalkTalk and was pleased at their stance on Phorm. This action gives me serious misgivings and I will watch it with interest.

I wonder if this is serious enough to complain to the ICO about....not that they'll do anything of course.

Goodness knows what other websites are now "broken" because of this, but there are surely more complaints than usual on the TalkTalk members forums:

http://www.talktalkmembers.com/forums/forumdisplay.php?f=9

http://www.talktalkmembers.com/forums/forumdisplay.php?f=37

I always thought that intercepting PRIVATE communications without the consent of both parties was in breach of RIPA?

Actually, this is more like a hybrid between Kindsight and Phorm.

www.kindsight.net - also operate in "stealth mode" but have their old Project Rialto crawlers that independently spider the net rather than tracking individual users. The ISPs then use DPI to track users. Will TalkTalk have plans in this direction?

Much as

I disagree with TalkTalk's policy on this, surely they would argue that just tracking the URLs is not intercepting private communications - they would say it's not like steaming open the envelope, but just looking at the address on the outside.

Re: steaming open the envelope

That's not how the HTTP protocol works. Your browser contacts the server (using that readily harvestable IP address) and then sends an http message requesting the URL. Purely from a protocol point of view, both the outgoing URL and the web page sent in reply are part of the (private) conversation between your machine and the web server. If you are using HTTPS, this whole conversation is sent within the encrypted channel, so snoopers can't see the URL or the web page.

What they /can/ see, in either case, are the source and destination IP addresses of the packets. If TalkTalk had simply collected those, they'd be on much firmer legal ground and they'd probably have built up almost as good a collection of "places our users have been".
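To make the point in the comment above concrete, here is an added example (not code from the thread or from TalkTalk) that models what a passive observer on the ISP's path learns from a single captured packet. The packets, IP addresses and payloads are constructed; the plaintext case carries an ordinary HTTP request, the TLS case carries only a TLS record whose contents are opaque to the observer.

```python
# Added example: what an in-path observer sees for plaintext HTTP versus TLS.
# Packets and payloads are constructed; IP addresses are from the RFC 5737
# documentation ranges.
from typing import Optional

# Plaintext HTTP request (constructed). Both the request line and the
# headers travel in the clear, so the full URL and any cookie are visible.
PLAINTEXT_PACKET = {
    "src_ip": "192.0.2.10",       # subscriber
    "dst_ip": "198.51.100.7",     # web server
    "dst_port": 80,
    "payload": (b"GET /search?q=private+matter HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"Cookie: session=abc123\r\n\r\n"),
}

# Same conversation over HTTPS (constructed): the payload begins with a TLS
# record header (content type 0x16 = handshake, version 3.x) followed by
# bytes the observer cannot interpret. No request line ever appears.
TLS_PACKET = {
    "src_ip": "192.0.2.10",
    "dst_ip": "198.51.100.7",
    "dst_port": 443,
    "payload": b"\x16\x03\x01\x00\x2a" + bytes(42),
}


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Return method, reconstructed URL and header names if the payload is a
    plaintext HTTP request; None if it is not parseable as one."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    return {"method": method,
            "url": f"http://{host}{target}",
            "headers": sorted(headers)}


def observer_view(packet: dict) -> dict:
    """What a middlebox reading this packet learns without breaking encryption.
    The IP tuple is visible in both cases; content only in the plaintext case."""
    view = {"src_ip": packet["src_ip"],
            "dst_ip": packet["dst_ip"],
            "dst_port": packet["dst_port"]}
    payload = packet["payload"]
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        # TLS record: the URL and the returned page are inside the encrypted channel.
        view["content"] = None
        return view
    view["content"] = parse_http_request(payload)
    return view


if __name__ == "__main__":
    print(observer_view(PLAINTEXT_PACKET))
    print(observer_view(TLS_PACKET))
```

The function returns the IP/port tuple for both packets, so the "places our users have been" collection the comment mentions is available either way; the URL and cookie only come out of the plaintext request.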

Well actually...

Wrong

Reading any information not destined to you is intercepting communications. Imagine if TalkTalk stumbled upon some sensitive data that's not to be released to the public (confidential private/company docs, gov/mil/edu docs that are nocirc, etc.). They'd be accountable for it as the logs would plainly show and could easily be sued or have criminal proceedings on them for it. It doesn't matter if that agency or entity's security is poor, it would easily stand up that TalkTalk used an exploit (since I doubt their system does any error checking to see whether or not the URL is "followable", using blind logic).

They are not just harvesting the pages visited

Glad I don't use Talk Talk.

Even taking their word for it that they could never siphon off people's personal data or add sites to the blacklist for any reason other than because they host malware, it still strikes me as a waste of time and money.

Of course anyone with the wit to keep their computer safe online probably isn't using Talk Talk, so if this actually DOES keep their customers marginally safer then that can't be a bad thing. But one does wonder why a bargain basement ISP would spend all this money implementing such a system 'out of the kindness of their hearts'. It's hard to believe that it won't be used as a revenue generator somehow.

And I don't suppose "free" malware protection is much of a selling point as those who really need it don't know what malware is and therefore don't care while those who don't need it obviously don't care either.

Other ways to protect users

Comrades,

I used to work for a content security company who won a deal with a major ISP for a similar capability (i.e. detection of infected broadband subscribers). In that case the equipment simply monitored outbound traffic from the subscriber to detect Port 25 packets. This gave an extremely high probability that this subscriber was infected, and was acting as part of a botnet.

(Note, I know that botnet technology has moved on, but even today a simple Port 25 test would probably find over 90% of user infections).

Note that the tiny % of ISP customers who run their own mail servers (and therefore generate legitimate Port 25 traffic) can request to be put on a "white list" so they do not receive repeated warnings.

The company I worked for unfortunately was not successful commercially. The problem is that, while it is useful for an ISP's customers to be warned if they are infected, there is nothing in it for the ISP. It's not worth the ISP paying for the solution.

This leads the ISP to consider dodgy systems like Phorm, and maybe the one described here. In other words the ISP tries to make some money out of it.

I spoke to a number of security guys in some very large ISPs around the world and they told me that they thought that 25-33% of their subscribers were infected.

This did not surprise me because the average UK broadband user has no clue about how to protect themselves on the Net.

TalkTalk may well have had the good of their customers in mind here - let's give them the benefit of the doubt. But they don't seem to have handled this situation very well. If they had been honest with their users it would have been much easier for them. I guess ISPs never learn.

Also, FYI, TalkTalk does not have Ellacoya DPI boxes in their network (unlike other UK ISPs like BT). They use Sandvine boxes instead. The Sandvine boxes are not in-line with user data, so they do not have the same active DPI capabilities as a result.
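The outbound Port 25 check described in the comment above, written out as an added example (not the commenter's product or any ISP's code) over constructed flow records. Subscriber ids, IP addresses and the whitelist are made up; the "distinct destinations" threshold is my own assumption, added so that a single legitimate SMTP connection does not by itself raise a warning.

```python
# Added example: flag subscribers emitting outbound TCP/25 to several hosts,
# excluding whitelisted self-hosted mail servers, and avoid repeat warnings.
# All records below are constructed.
from collections import defaultdict

# (subscriber_id, destination_ip, destination_port), outbound direction only.
FLOWS = [
    ("sub-001", "203.0.113.5", 25),
    ("sub-001", "203.0.113.9", 25),
    ("sub-001", "203.0.113.14", 25),    # three different mail hosts: bot-like
    ("sub-002", "203.0.113.5", 25),     # runs their own mail server (whitelisted)
    ("sub-002", "203.0.113.9", 25),
    ("sub-003", "198.51.100.7", 80),    # ordinary browsing
    ("sub-003", "198.51.100.8", 443),
    ("sub-004", "203.0.113.5", 25),     # one connection: below the threshold
]

# Subscribers who have asked to be exempted because they legitimately send mail.
WHITELIST = {"sub-002"}


def suspected_infections(flows, whitelist, min_distinct_mx=2):
    """Return {subscriber: distinct TCP/25 destinations} for subscribers that
    contact at least min_distinct_mx distinct hosts on port 25 and are not
    whitelisted. min_distinct_mx is an assumed tuning knob, not from the thread."""
    targets = defaultdict(set)
    for subscriber, dst_ip, dst_port in flows:
        if dst_port == 25 and subscriber not in whitelist:
            targets[subscriber].add(dst_ip)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_distinct_mx}


def warnings_to_send(flows, whitelist, already_warned):
    """One warning per newly flagged subscriber; subscribers already warned
    (or whitelisted) receive nothing, matching the 'no repeated warnings' point."""
    flagged = suspected_infections(flows, whitelist)
    return sorted(s for s in flagged if s not in already_warned)


if __name__ == "__main__":
    print(suspected_infections(FLOWS, WHITELIST))
    print(warnings_to_send(FLOWS, WHITELIST, already_warned=set()))
```

Running the two functions over the sample shows only sub-001 flagged; dropping the whitelist would wrongly add sub-002, and lowering the threshold to one destination would add sub-004, which is the trade-off an operator tunes.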

free malware prevention

All current browsers have malware solutions built in, so like Phorm's attempt to use this as a "value add service" to get around PECR, TT will fail if they then try to launch another service based on the data provided.

As how can a service be "value add" when the same service is available free in all current browsers?

There has to be money behind anything like this and it is normally advertising.

Any TT users able to see if cookies are being set for each site you visit?

Neff

Since the tracking servers are their Radius Servers, there's no need for TT to place or modify other sites' cookies as they know all your subscriber details anyway. Much of the Phorm database was a "distributed database" placed in modified cookies all over users' machines as Phorm had no access to subscriber details and no other way to identify you; all TT have to do is to warehouse your sites visited in their own datacenters and can log this against your subscriber details - which they know as, unlike the BT Broadband service, users have to authenticate with a userid and password (unless somebody tells me I'm wrong about that).

So, customers cannot opt out of being tracked,

Ah, and what about Data Protection Laws?

Hmm, it would be interesting to hear if any of the customers signed up to the collection of their web activities. As far as the excuse goes, I cannot see any reason to make such information personally identifiable, so I think a nice deep audit of the Office of the Information Commissioner may be in order. If they indeed don't track people individually I don't think it's a big deal - provided it stays that way. There are all these information hungry sharks out there who would sell their grandmother for this data, so once you have the facilities in place a small "oopsie" a la Google WiFi collection is quickly made.

AFAIK (IANAL), permission for collection of personally identifiable information MUST be EXCLUSIVE (i.e. as a separate permission statement), it cannot be INCLUSIVE (as 4 point light grey text on a white background somewhere in a contract), and even if permission was granted you ought to be able to withdraw it.

Smells like a nice case for the Information Commissioner's Office to demonstrate on whose side it is - get a few people to file a complaint.. Just give me a moment while I grab some popcorn first, because that could become rather entertaining...

Failing at Law

Site owners

I can see site owners banning the StalkStalk IPs from their servers and maybe even having other fun messing with this system. It will probably do something dumb like those web crawler thingies* that can hog your web-server resources by downloading a zillion* pages per second or something silly!

why not use existing services

Rather than re-invent the wheel, why don't they partner with someone like OpenDNS (http://www.opendns.com/familyshield) or http://www.stopbadware.org/ and make those services better for everyone rather than adding yet another partial solution (especially one that relies on stalking users without their consent)?

suggests a very poor grasp of copyright law. I wonder if he is equally ropey on RIPA, PECR and DPA. Luckily for him, our UK regulators are very very lax and soft on ISPs, the ICO has a six month backlog and no signs of wanting to protect ISP consumers, our police forces don't seem to understand about RIPA when it comes to commercial companies intercepting communications, and our CPS seems only able to sit on its hands (651 days so far thinking about the Phorm/BT case).. So TalkTalk will get away with it. Just like BT did. But at least they are getting some bad PR and more on the way hopefully.

The story seems to be unfolding in an uncannily similar way to the Phorm scandal in Feb 2008. Next stop the stumbling stuttering TV interview on Channel 4 about how it is all legal and they have sought er obtained er legal advice er opinion, thingy, sort of. And if it is on the internet, anyone can copy it.

Tell us EXACTLY

We need TT to tell us exactly what they are recording. For example, are they only recording URLs? What about other things from the HTTP message (like cookies, etc)? Do they store the whole URL or do they truncate at the first "?"? Do they record only GET URLs or others (POST, PUT, DELETE, etc)? Is the data definitely destroyed after 24 hours (no backups, logs, etc)?

And what does their spider do? Does it honour robots.txt? Does it only issue GET methods? Does it include any cookies in the request? How does the website tell that this is coming from their spider?

This just looks like more and more reason to put all browsing through a secure VPN. Maybe Opal can rent me one :-)

Lies

Not sure who this person's source is but they are so far from the truth they wouldn't know it if it hit them on the head.

I can assure you we don't monitor people's online activity!!!!! Hope this puts some of your minds at rest

__________________

Stephen Fell

TalkTalk`s Online Community

Meet the forum staff and ensure you know Who`s Who

Then this. What argument? Just simple truthful answers, not as above.

Hi all,

Not going to comment any further as some people just want an argument, official statement to follow!!

Regards

__________________

Stephen Fell

TalkTalk`s Online Community

Meet the forum staff and ensure you know Who`s Who

Link to thread on TTMF. http://www.talktalkmembers.com/forums/showthread.php?t=46565

I checked this morning to see if I was followed with a test set up on Phoenix Broadband. It took them 4 seconds to follow. Thread on Phoenix here http://www.the-phoenix-broadband-advice-community.co.uk/index.php/topic,1828.0.html

The owner was aware in May and has done a lot of tests for TT customers.

What about PPC ads?

What about PPC ads? Where an advertiser pays per click.. does this mean that some PPC ads are being "clicked" more than because of this crawler? It's clear that it could cause all sorts of mischief on other similar systems too.

It's not actually a hugely bad idea though.. if you could opt in to it, that is.

I'm highly skeptical.

A) An ISP should have neither the right nor responsibility to censor my internet access whatever their motive.

B) I think they are lying about their motives and objectives. Businesses exist to make money; they have a plan to monetize this and, given their secrecy, they are going to do it in a way that if known would alienate their customers.

C) I can already opt-in to similar protection via Web Of Trust (highly recommended), Web Security Guard and probably dozens of other browser add-ons that will check malicious websites against various blacklists. I think a similar feature is built into I.E. 8. The difference here being I chose what protection I want and who I want to obtain it from.

But what can an ISP do?

Personally I think they should limit themselves to "side tracking" known infected PCs, perhaps with some intranet thingummy with clean-up tools. Keep an eye on spam and abuse reports, (dns)blacklists, promptly act on noticing something on their network has gone bad. And if they must, well, malware checking already exists, though it neither is infallible nor very controllable. At least it does let you opt-out, which these bozos can't seem to get licked.

What ISPs certainly shouldn't be doing is pre-emptively breaking the law to forestall regulation. That just gets them sued, and rightly so. Worse, it gives entirely the wrong signal to the already befuddled politicos. How stupid can you get? Don't answer that. "IWF". 'nuff said.

haven't seen it

WooHoo - a new friend!

My ISP is interested in my completely boring life? They really must be scraping that barrel thingy. Sad bastards. I can't even remember how old the phone tap law etc is - applies the same as far as I can see!

If it makes you feel any better...

Charges?

As someone who's worked in the web hosting industry before, I have to wonder how much scraping TalkTalk is doing on sites it "checks". Does it just grab the page and scan, or does it download the entire shebang and run it through some heuristics engine? If it's the latter, I have to wonder just how much they're costing webmasters in bandwidth fees.

Disappointed

I am very disappointed to read this. Notwithstanding the privacy issues, I have noticed an apparent falloff in performance recently. I had attributed this to the World Cup, but the reduced performance has continued. Bandwidth and all that.

The secrecy of the trial mitigates heavily against TalkTalk integrity and intentions. It'll be hard for them to dig themselves out of the hole which they have dug for themselves.

if (ip_is_from_stalkstalk($ip)){

Interception? An analysis.

TalkTalk have modified their network so as to make URLs available (to themselves, so they can do things with them). The exception for traffic data in RIPA ss.2(5) does not apply, as parts of URLs are considered to be content, not traffic data (generally speaking the parts after the third slash, but see RIPA ss.2(9)).

TalkTalk's action therefore falls under ss.2(2) of RIPA, and is thus interception. I don't think there is much doubt or wiggle room there, if any.

Next, is it lawful interception, or not? TalkTalk are perhaps in a better position than Phorm were, as they can argue that their action is lawful under RIPA ss.3(3), like virus or spam filtering of emails.

However unlike virus and spam filtering of emails, TalkTalk's action was not necessary, nor was it done, to protect the service - the web would still work fine [*] without it, while email would, or so it's argued, fail entirely if spam and virus filtering wasn't done.

TalkTalk's action would be made lawful by ss.3(3) if it was done "for purposes connected with the provision or operation of th[e telecommunications] service".

I think instead it was done in order to provide an extra service on top of the basic telecomms service, and thus s.3(3) does not apply - it only applies to the basic message-passing service (passing bits), see the definition of "telecommunications service" in ss.2(1).
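The "Tell us EXACTLY" questions earlier in the thread (does TT store the whole URL or truncate at the first "?") and the traffic-data-versus-content split in the analysis above (the part up to the third slash versus the part after it) come down to the same operation on a URL. As an added example, not code from the thread or from TalkTalk, the functions below split an absolute URL at the third slash and show what a URL log would retain under three retention policies; the policy names and sample URLs are my own, and the third-slash rule is used as the comment states it, with the RIPA ss.2(9) caveat left to the lawyers.

```python
# Added example: split a URL into the part up to the third slash and the
# remainder, then show what survives under three retention policies.
# Policy names and sample URLs are constructed for illustration.
from urllib.parse import urlsplit, urlunsplit


def split_at_third_slash(url: str) -> tuple:
    """Return (address, remainder) where address is 'scheme://host/' and
    remainder is everything after that third slash (path, query, fragment).
    The thread's RIPA reading treats the first part as traffic data and the
    remainder as content."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("expected an absolute URL")
    address = f"{parts.scheme}://{parts.netloc}/"
    remainder = urlunsplit(("", "", parts.path, parts.query, parts.fragment))
    # urlunsplit gives "/path?query#frag" (or "" for a bare host); the address
    # already carries that leading slash, so drop it here.
    return address, remainder[1:] if remainder.startswith("/") else remainder


def record_url(url: str, policy: str) -> str:
    """What a URL log stores for one request under a given policy:
    'address_only'    keeps only scheme and host (the traffic-data portion);
    'truncate_query'  keeps the path but cuts at the first '?' (and any '#');
    'full'            keeps everything, query string included."""
    address, rest = split_at_third_slash(url)
    if policy == "address_only":
        return address
    if policy == "truncate_query":
        return address + rest.split("?", 1)[0].split("#", 1)[0]
    if policy == "full":
        return url
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    sample = "http://www.example.com/search?q=private+matter"
    for policy in ("address_only", "truncate_query", "full"):
        print(f"{policy:15} {record_url(sample, policy)}")
```

The query string is where search terms, session tokens and form data most often end up in a GET, so the difference between the second and third policy is the difference between a list of pages and a record of what was typed into them.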

@PF1

"TalkTalk have modified their network so as to make URLs available (to themselves, so they can do things with them)."

Not quite. The indication is that they have allowed Huawei to install equipment in the Radius, probably supplied by Huawei as well, which gifts the URLs to Huawei so that Huawei can visit those URLs and profile the content.

We know it works...

Clearly, using tried-and-true technology from the Great Firewall of China. It automatically scans any websites for any suspicious content (like "Falun Gong") and black lists the site. All "Chinese vendor Huawei" have to do is build up the new database of sites to block, which they are doing now.

My god...

Sniffing URLs is one thing, and a bad one at that; furthermore blocking IP addresses that StalkStalk deem inappropriate is a huge issue - virtually everyone knows that blacklists being created and used to block IPs is a very harmful method.

I'll chime in also with calling for Talk Talk to disclose how they farm the URLs in the first place. That's the illegal part IMO.

What I don't understand, if Talk Talk actually wanted to protect customers is implement network-wide IPS, using something like Snort. It's open source, and it's far more sensible than this sniffing, and will only block reactively when an attack is happening. It's also far more cost effective to harden these network wide servers than all consumer's routers too...

It makes no sense.

What's really hilarious is the idea that TalkTalk's customers have some sort of collective consciousness. As TT say...

"In preparation for the launch of these services, as our users surf the internet, details of websites visited are put into a list. Scanning engines then compare this list to a blacklist (sites that have been found to contain recent threats) and whitelist (sites that have been recently scanned with no threats found); if the site is not on either of these, it will visit the site and scan it for malicious code. Sites that are already on either list are not scanned again until the following day."

In other words, TT are simply creating an updated blacklist based on sites that other TT customers have visited. If you are the first visitor to a site you're on your own - the site isn't checked until AFTER you've been exposed to any risks. It also appears that any site visited by a TT customer will be continually monitored even if no-one ever visits that site again.

The whole concept is ridiculous - it only works if all TT customers only ever visit the same sites as each other or if TT scan the entire contents of the www at least once a day. If such a system was even possible, the costs involved would be so high that it would make far more sense for every ISP to be involved as a joint venture with the blacklist being shared amongst them with the whole process and system being overseen by an external watchdog to ensure that standards are met, the system is not abused and website owners have a means of appealing against incorrect (or malicious) flagging of their sites as "dangerous".

I can't believe that senior staff at TT aren't aware of the shortcomings in their explanation which makes me think that - like so much spyware - the security angle is just a front for spyware.
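The quoted TT description (compare each visited site to a blacklist and a whitelist, scan only unknown sites, do not rescan a listed site until the following day) is small enough to simulate, and doing so makes the "first visitor is on their own" objection above measurable. Here is an added example, not code from the thread or from TalkTalk, in which a set of known-malicious hostnames stands in for the scanning engine's verdict; the site names, visit sequence and day numbers are constructed.

```python
# Added example: simulate the list-based scanning process quoted in the
# thread and record the outcome for each individual visitor.
# Site names, visits and the malicious-site oracle are constructed.


class ListBasedScanner:
    """Blacklist/whitelist keyed by site, with the day each entry was last
    scanned. A site on either list is not rescanned until a later day."""

    def __init__(self, malicious_sites):
        # Ground truth standing in for the scanning engine's verdict.
        self.malicious_sites = set(malicious_sites)
        self.listed = {}          # site -> ("black" | "white", day_last_scanned)
        self.scans_performed = 0

    def visit(self, site: str, day: int) -> str:
        """Record one subscriber's visit and return what happened to THAT visitor:
        'exposed' (unknown site, loaded before any scan), 'blocked' or 'allowed'."""
        entry = self.listed.get(site)
        if entry is None:
            outcome = "exposed"
        elif entry[0] == "black":
            outcome = "blocked"
        else:
            outcome = "allowed"
        # Unknown sites are scanned now; listed sites wait until the following day.
        if entry is None or entry[1] < day:
            self._scan(site, day)
        return outcome

    def _scan(self, site: str, day: int) -> None:
        self.scans_performed += 1
        status = "black" if site in self.malicious_sites else "white"
        self.listed[site] = (status, day)


def simulate(visits, malicious_sites):
    """Run a sequence of (site, day) visits; return per-visit outcomes and scan count."""
    scanner = ListBasedScanner(malicious_sites)
    outcomes = [scanner.visit(site, day) for site, day in visits]
    return outcomes, scanner.scans_performed


def stale_whitelist_demo():
    """A site that is clean when first scanned and turns malicious the same day:
    every later visitor that day, and the first visitor the next day, is still
    allowed through, because the whitelist entry is only refreshed after the
    next-day visit has already been served."""
    scanner = ListBasedScanner(set())
    first = scanner.visit("shop.example", 1)           # exposed, then whitelisted
    scanner.malicious_sites.add("shop.example")        # site is compromised later on day 1
    second = scanner.visit("shop.example", 1)          # allowed: no rescan until day 2
    third = scanner.visit("shop.example", 2)           # allowed: checked before the rescan
    fourth = scanner.visit("shop.example", 2)          # blocked: day-2 rescan found it
    return [first, second, third, fourth]


if __name__ == "__main__":
    visits = [("evil.example", 1), ("evil.example", 1),
              ("good.example", 1), ("good.example", 1), ("good.example", 2)]
    print(simulate(visits, {"evil.example"}))
    print(stale_whitelist_demo())
```

Two things fall out of the simulation: the first visitor to any site, good or bad, is "exposed" by construction, and a whitelist entry shields a site that has since been compromised for the rest of the day plus one visit into the next.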